Which detection method is generally better at identifying previously unseen threats by looking for deviations from normal traffic?

Multiple Choice

Explanation:
Anomaly detection models normal network behavior and flags anything that diverges from that baseline. Because previously unseen threats don’t match known patterns, they often reveal themselves as unusual activity, making anomaly-based approaches well-suited to catching zero-day or novel attacks. Signature-based detection, by contrast, relies on predefined patterns of known threats and therefore misses new techniques that don’t yet have a signature. Saying “Both” would imply they’re equally capable of spotting unknown threats, which isn’t the case, and “Neither” isn’t accurate because anomaly detection does provide this capability. So the method best at identifying unseen threats by looking for deviations from normal traffic is anomaly detection.
